Setup 2FA with YubiKey and LUKS


I would like to set up two-factor authentication with yubikey-full-disk-encryption.
At the moment I’m using the disk encryption that one can choose during the installation process of Manjaro, in combination with a separate encrypted home partition on a second hard drive.

This is my partition structure:

NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                                   8:0    0   1,8T  0 disk 
└─sda1                                                8:1    0   1,8T  0 part 
  └─sda1_crypt                                      254:2    0   1,8T  0 crypt /home
nvme0n1                                             259:0    0 476,9G  0 disk           
├─nvme0n1p1                                         259:1    0   300M  0 part  /boot/efi
├─nvme0n1p2                                         259:2    0 467,8G  0 part 
│ └─luks-uid1                                       254:0    0 467,8G  0 crypt /
└─nvme0n1p3                                         259:3    0   8,8G  0 part 
  └─luks-uid2                                       254:1    0   8,8G  0 crypt [SWAP]

Extract of /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="quiet cryptdevice=UUID=uid1:luks-uid1 root=/dev/mapper/luks-uid1 resume=/dev/mapper/luks-uid1 apparmor=1 security=apparmor udev.log_priority=3 acpi_backlight=vendor amd_iommu=on"

What I tried so far:

  1. Add new LUKS-key with ykfde-enroll to the root and swap partition

  2. Change /etc/ykfde.conf

  3. Change /etc/mkinitcpio.conf:

     HOOKS=(... ykfde encrypt ...)

When I started the system after these changes, I got the familiar GRUB prompt to enter my passphrase. After that I got a message from ykfde that the partitions have already been decrypted.

I hope someone knows how I could set it up easily.

Kind regards


Did you find some answers since then?
In your case, without the YubiKey part, did you set up multiple passphrases, one for each partition (/, /home and swap)?

Sorry for the late reply: I set the passphrase for the system partition during the installation and configured the home partition according to this post: askubuntu[dot]com/a/1035703 (I know it’s Ubuntu, but it works too :blush:). But at the moment I have stopped looking into the 2FA-LUKS topic.